Skip to main content
  1. Docs
  2. Reference
  3. REST API Docs
  4. Schema
  5. OperationContextOIDCConfiguration

OperationContextOIDCConfiguration

    OperationContextOIDCConfiguration contains configuration for automatically fetching temporary credentials from cloud providers using the OIDC token issued by the service.

    Properties

    • aws OperationContextAWSOIDCConfiguration optional
      AWS contains AWS-specific configuration.
    • duration string optional
      Duration is the duration of the assume-role session.
    • policyArns array[string] optional
      PolicyARNs is an optional set of IAM policy ARNs that further restrict the assume-role session.
    • roleArn string required
      The ARN of the role to assume using the OIDC token.
    • sessionName string required
      The name of the assume-role session, sent to AWS STS as RoleSessionName. Supports ${var} placeholders for ${organization.name}, ${project.name}, ${stack.name}, ${operation}, ${deployment.version}, and ${deployment.id}. Recommended: include ${deployment.version} so each run is traceable in AWS CloudTrail (for example, ‘pulumi-${deployment.version}’). AWS caps RoleSessionName at 64 characters; if a rendered template would exceed that, the name variables (organization, project, stack) are truncated to fit while ${operation}, ${deployment.version}, and ${deployment.id} are preserved.
    • azure OperationContextAzureOIDCConfiguration optional
      Azure contains Azure-specific configuration.
    • clientId string optional
      ClientID is the client ID of the federated workload identity.
    • tenantId string optional
      TenantID is the tenant ID of the federated workload identity.
    • subscriptionId string optional
      SubscriptionID is the subscription ID of the federated workload identity.
    • gcp OperationContextGCPOIDCConfiguration optional
      GCP contains GCP-specific configuration.
    • projectId string required
      ProjectID is the numerical ID of the GCP project.
    • region string optional
      Region is the region of the GCP project.
    • workloadPoolId string required
      WorkloadPoolID is the ID of the workload pool to use.
    • providerId string required
      ProviderID is the ID of the identity provider associated with the workload pool.
    • serviceAccount string required
      ServiceAccount is the email address of the service account to use.
    • tokenLifetime string optional
      TokenLifetime is the lifetime of the temporary credentials.